Upload
tech-and-law-center
View
3.396
Download
0
Tags:
Embed Size (px)
DESCRIPTION
www.techandlaw.net
Citation preview
Digital Forensics, Privacy and Due Process Rights
Giuseppe Vaciago
Seminar on Cybercrime and Digital Forensics
April 8-12th 2014
EU-Macao Co-operation Programme in the Legal Field (2002-2007)
1. Introduc:on q Digital/Electronic Evidence q Case Law on Digital/Electronic Evidence q Digital forensics Defini7on
2. Digital Forensics Procedure q Iden7fy the suspect q Detec7ng and Seizing Illegal Contents q Valida7ng Digital Evidence q Chain of Custody a@er Seizure q Analysis of Digital Evidence q Repor7ng of Digital Evidence Findings
3. Privacy and Due Process Rights q Surveillance q Cloud Compu7ng: Jurisdic7on and Privacy
Agenda
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
What is Digital/Electronic Evidence?
Digital evidence is ‘any informa,on of eviden,al value whether memorized or sent in a digital format’ -‐ defini,on by the Scien,fic Working Group on Digital Evidence (SWGDE -‐ 1999)
Digital evidence or electronic evidence is ‘any proba,ve informa,on stored or transmiFed in digital form that a party to a court case may use at trial’ (Eoghan Casey -‐ 2004) Electronic evidence is informa,on generated, stored or transmiFed using electronic devices that may be relied upon in court (Council of Europe -‐ 2012)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
What is Digital Electronic/Evidence?
It’s invisible to the
untrained eye
It may need to be
interpreted by an
specialist
It may be altered or destroyed through
normal use
It can be copied
without limits
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Legal Requirements of Digital/Electronic Evidence?
Admissible: compliant with law and best prac,ce
Authen:c: avoid any digital
evidence tampering
Reliable and Believable: readily
understandable to a judge
Propor:onal: respect
fundamental right of par,es affected by the
measure
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
How to find a Digital/Electronic Evidence?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
How to find a Digital/Electronic Evidence?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
There are three types of digital evidence: Created by man: any piece of digital data that is the result of a step or ac,on taken by a human person. Can be one of two types: a) Human to human (mail) b) Human to PC (word document)
Categories of Digital/Electronic Evidence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Created independently by the computer: any piece of digital data that is the result of the processing of data carried out by soUware in accordance with a specific algorithm and without human interven,on (e.g. telephone records or Internet Service Provider logs)
Categories of Digital/Electronic Evidence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Created by both man and the computer: an electronic spreadsheet where the data is entered by the human, while the computer works out the result.
Categories of Digital/Electronic Evidence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
One of the principal characteris,cs of digital evidence is its complexity. One example is the Amero case.
The complex nature of digital evidence (the case of Julie Amero)
Julie Amero is a supply teacher at Kelly School in Norwich, Connec,cut who was found guilty of showing pornography to children under the age of 16
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Julie Amero’s lesson. ‘Inappropriate’
pictures appear as pop -‐ ups on the PC.
The Police look at the content of the hard
disk, but do not take a bit-‐stream copy
The Court finds Julie Amero guilty of
impairing the morals of a child
Julie Amero obtains a new trial in which she is fined 100 dollars
26/10/04 05/01/07 10/11/08 19/10/04
The regular teacher comes into the class room, sees that the cache contains pornographic files and informs the headmaster
20/10/04
The defence team request a new trial on the grounds that the evidence had not been acquired correctly and that
the computer was infected (mousetrapping)
01/06/08
The ‘Amero’ case: :meline
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Mousetrapping and Pagejacking are DNS hijacking techniques that keep users on a site by launching a never ending series of pop-‐ups.
The Amero case: Mousetrapping and Pagejacking
A new trial was held, as:
1) Julie had been a vic,m of mousetrapping, probably as a result of the improper use of the PC by the regular teacher
2) Those inves,ga,ng had not followed any digital forensics procedure (no bit stream copies taken and the analysis carried out between 20 and 26 October was not documented)
3) Julie Amero’s lawyer had not been able to get an expert’s report on the computer prepared for the defence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Digital evidence could be altered and can contain countless pieces of informa,on. The “Garlasco” case is a clear example of this.
Alberto Stasi was acquiFed of murder of his girlfriend, Chiara Poggi, by the Court of first Instance In December 2009 and the judgement was confirmed in the Appeal court in December 2011.
Italian Case Law on Digital Evidence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Chiara Poggi died between 10.30 and
12.00
Stasi voluntarily hands over his PC to the
Police
AUer working on the PC the Police hands it over to the
Scien,fic Inves,ga,on Group
Judge Vitelli of Vigevano acquits Stasi of murder
14/08/07 29/08/07 17/12/09 13/08/07
-‐ Stasi wakes up at 9 -‐ Telephones Chiara Poggi -‐ Works on his thesis
13/08/07
The expert report requested by the judge shows that Stasi was working on his thesis during the
period when Chiara Poggi was killed
17/03/09
The “Garlasco” case: the “IT alibi”
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
What is Digital Forensics ?
Digital forensics, in a tradi,onal sense, is: -‐ get hold of evidence without modifying the IT system in which that evidence is found; -‐ ensure that the evidence acquired in another medium is iden,cal to the original;
-‐ analyse data without modifying it.
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
The “Big Five” for Digital Forensics (Council of Europe)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Data Integrity
No ac,on taken should change electronic devices or media, which may subsequently be relied upon in court
Chain of Custody
An audit trail of all ac,ons taken when handling electronic evidence should be created and preserved
Specialist Support
If inves,ga,ons involving search and seizure of electronic evidence it may be necessary to consult external specialists
Appropriate Training
First responders must be appropriately trained to be able to search for and seize electronic evidence if no experts are
available at the scene
Legality The person and agency in charge of the case are responsible for ensuring that the law and the above listed principles
are adhered to
Digital Inves:ga:on Procedure
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Digital Inves:ga:on Procedure
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Iden,fy the Suspect
Detec,ng and Seizing Digital Evidence
Valida,ng Digital Evidence
Chain of Custody
Analysis of Digital Evidence
Presenta,on in the Court
Iden:fy the suspect
When inves,ga,ng Internet crimes, the general approach is as follows:
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
An inves,gator receive a complaint by a vic,m of
cybercrime or detect an illegal content on line
The inves,gator uses the Court System to compel the ISP to reveal a physical loca,on that corresponds to the likely source
of Network (IP Address)
Under a warrant (depend from the Jurisdic,on) the loca,on is searched and any computer or
other devices is seized
Multiple User ID or multiple Ips over time, open Wi-Fi,
Proxy, Botnet Data Retention Directive in EU and Patrioct Act in US OSINT and SOCMINT
Iden:fy the Suspect: Data Reten:on
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
• In the wake of the terrorist aFacks in Madrid and London (2004 and 2005 respec,vely), the European Parliament issued Direc:ve 2006/24/EC.
• Data reten:on (or data preserva,on) generally refers to the storage of call detail records (CDRs) of telephony and internet traffic and transac:on data (IPDRs) by governments and commercial organiza,ons.
• Reten,on period: from 6 month to 24 months
• Scope of applica,on: serious crime
Iden:fy the Suspect: Open Issues on Data Reten:on
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
1. There is no consistent approach across the EU of the period of reten:on among Member States
2. No defined list of par:es en:tled to request such data
3. ‘Serious crime’ is a generic term It is for these reasons that the Cons,tu,onal Court in certain Member States (Germany, Romania and the Czech Republic) have declared na,onal law implemen,ng the Direc,ve to be uncons,tu,onal, resul,ng in a legisla,ve lacuna that does absolutely nothing to assist inves,ga,ons. In addi,on, Austria and Sweden have decided against implemen,ng the Direc,ve, with heavy penal,es being imposed by the European Commission as a result.
Iden:fy the Suspect: Open Issues on Data Reten:on
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Of the 22 Member States that have implemented the Direc,ve:
Reten:on Period
• Thirteen MS have decided that data may be kept for 12 months • Five MS have established a longer period • Four MS have gone for a shorter ,me limit
Concept of Serious Crime
• Ten MS have defined 'serious crime', with reference to a minimum prison sentence, to the possibility of a custodial sentence being imposed, or to a list of criminal offences defined elsewhere in na,onal legisla,on.
• Eight MS require data to be retained not only for inves,ga,on, detec,on and prosecu,on in rela,on to serious crime, but also in rela,on to all criminal offences
• Four MS refers to ‘serious crime’ or ‘serious offence’ without defining it.
Iden:fy the Suspect: Data Reten:on
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
q The prac,cal repercussion of this scenario is the following: when faced with a U.S., German, Austrian or Romanian ISP, law enforcement officers could never be sure if the data they are aUer has long been cancelled or is s,ll in storage.
q On the other side. U.S. Law Enforcement could obtain data from EU. Under Patriot Act, U.S. authori,es are en,tled to subpoena personal data related to non-‐US ci,zen from any company that has “minimum contacts” with the U.S
Patriot Act, Sec. 215. Access To Records And Other Items Under The FISA
Iden:fy the Suspect – OSINT AND SOCMINT
Mr Palazzolo a treasurer for the mafia, on the run for 30 years, was discovered by monitoring his facebook profile.
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Face Recogni:on Project Alessandro Acquis7
CCTV Fair Fax Media
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Iden:fy the Suspect – Face Recogni:on Project
Detec:ng and Seizing Digital Evidence: Bit-‐Stream Copy
Anyone wan,ng to seize and validate digital/electronic evidences (content of an e-‐mail or an en,re hard-‐disk) has to respect two fundamental “rules”: Bit-‐Stream Copy and Hash Func:on
The bit-‐stream copy can ‘clone’ the en,re hard-‐disk. It is a par,cular form of duplica,on in which the content of the physical unit is read sequen,ally loading the minimum quan,ty of data that can from ,me to ,me be directed, then recording it in the same sequence on a standard binary file, genera,ng a physical image of the original medium.
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Seizing and Valida:ng Digital Evidence: Hash Func:ons
During the forensic analysis of modifiable media, the Hash guarantees the intangible nature of the data that it contains.
The Hash is a unique func:on that operates in one direc,on (meaning that it cannot be reversed), by means of which a document of random length is converted into a limited and fixed length string.
This string represents a sort of ‘digital fingerprint’ of the non-‐encrypted text, and is called the Hash Value or the Message Digest.
If the document is modified even to the slightest extent, then the fingerprint changes as well. In other words, by calcula,ng and recording the fingerprint, and then recalcula,ng it, it can be shown beyond all doubt whether the contents of the file, or the medium, have been altered, even accidentally.
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Where and how is the digital/electronic evidence hosted?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Digital Evidence
Third par,es
Suspected PC
ISP, TELCO, BANK
Jurisdiction
ENCRYPTION
Key Mandatory Law
Houston, We Have a Problem!
Why Third Par:es are important during Digital Inves:ga:ons?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Internet Access Provider • Could reveal from which place the email was sent
Mail Account Provider • Could reveal from which places the email account was accessed
Credit Card Company • Could reveal where the goods bought with a cloned credit card were delivered
Example: a forensics analysis reveals that a cybercrime vic,m had received a decep,ve email that installed spying soUware on the
vic,m's machine. What to do?
An inves,ga,ng tool most frequently used for carrying out an on line inves,ga,on is hashing techniques. For example, star,ng with a file containing an illegal content, it is possible to convert it into a message digest and to carry out a fast search inside a storage support (hard drive, flash disk) or within the network (P2P networks).
Ferrari.jpg Ferrari_copy.jpg
HASH SHA-‐1
051ed4dbdb9bcd7957aa7cbb5dfd0e94605cd887
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Detec:ng and Seizing Digital Evidence: Hashing Techniques
What happens if I just change the file in an infinitesimal way?
Ferrari.jpg Ferrari_copy2.jpg
HASH: 051ed4dbdb9bcd7957aa7cbb5dfd0e
94605cd887
HASH: a9fa2933484f828b95c1dde824dea28f
35b509d6
The hash does not match and the search will not generate results
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Detec:ng and Seizing Digital Evidence: Hashing Techniques
For this reason, there are techniques (i.e. fuzzy hashing) or various types of algorithms that allow a “certain degree of similarity” to be iden,fied. A good soUware used is SSDEEP wriFen by Andrew_Tridgell and used for detec,ng spamming.
Online is available: pHash (The open source perceptual hash library)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Detec:ng and Seizing Digital Evidence: Hashing Techniques
The more complex techniques have a 20% degree of error
What does it means? No problem if there are false posi,ves. Human checking is sufficient.
But in the case of false nega:ves?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Detec:ng and Seizing Digital Evidence: Hashing Techniques
False Posi:ves= (i.e., non –obscene packets misclassified as obscene)
False Nega:ves= (i.e., obscene packets incorrectly deemed as non-‐obscene)
The new challenge with Cloud compu,ng is a loss of data loca,on due to: -‐ “Data at rest” does not reside on the device. -‐ “Data in transit” cannot be easily analysed because of encryp,on. -‐ “Data in execu,on” will be present only in the cloud instance The inves,gator who wants to capture the bit-‐stream data of a given suspect image will be in the same situa,on as someone who has to complete a puzzle, whose pieces are scaFered randomly across the globe
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Detec:ng and Seizing Digital Evidence: Cloud Compu:ng
How is it possible to validate online digital evidence and immediately show that a par,cular piece of data on a par,cular online site is certain?
Valida:ng Digital Evidence on line
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Domesday Book (1086): Ink on parchment: legible aler over 900 years. Domesday Book 2 (1983): LaserDisc: illegible aler 15 years.
Whilst the bit is eternal, its storage medium is not. Digital storage media last less than analogue media and devices to read such media last even less.
Chain of Custody of the digital evidence
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Analysis of Digital Evidence
1. Text searches: aimed at scanning files, directories and even en,re file systems for specific text terms
2. Image searches: aimed at iden,fying image files in various formats, and at genera,ng s,ll frames of digitally stored video footage
3. Data recovery: aimed at recovering all files stored on mass memory units, including deleted or damaged data
4. Data discovery: targeted at accessing hidden, encrypted or otherwise protected data
5. Data carving: focused on reconstruc,ng damaged files by retrieving por,ons of their content
6. Metadata recovery and iden:fica:on: this digital forensic tool is par,cularly useful for retracing the ,meline of web accesses and file changes
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Analysis of Digital Evidence: two Italian issue
1. Digital forensics analysis is repeatable or unrepeatable, that is the ques:on….
2. Open Source or Closet source
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
This stage is of key importance for Prosecutors, Judges and lawyers, as the outcome of the trial will depend not only on results achieved, but also the degree of clarity and comprehension of the report. Opera:onal recommenda:ons q Presence of an index q Presence of a glossary and reference notes if there are any
technical terms q Timeline table and flow charts q Presenta,on slides with photos q Possible video-‐recording of opera,ons carried out
Presenta:on in the Court of the digital evidence findings
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Presenta:on in the Court of the digital evidence findings: Murtha Case
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Internet Surveillance Plans
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights -‐ Surveillance
q EU -‐ Echelon Intercep:on System – 2001 q US -‐ Total Informa:on Awareness Program (TIA) – 2002 q UK -‐ Communica:ons Capabili:es Development Program – 2012 q US -‐ Cyber Intelligence Sharing and Protec:on Act (CISPA)-‐ 2013
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights -‐ Surveillance
Privacy and Due Process Rights -‐ Encryp:on
q Encryp,on is the process of obscuring informa,on to make it unreadable without special knowledge
q Encryp,on can be used to ensure secrecy q Encryp,on can be used to hide the fact that encrypted messages
are exchanged q Encryp,on used by criminals can lead to difficul,es collec,ng the
necessary evidence
A possible answer is Encryp,on
Cybercrime
ENCRYPTION
• Encryption is the process of obscuring information to make it unreadable without special knowledge
• Encryption can be used to ensure secrecy
• Encryption can be used to hide the fact that encrypted messages are exchanged
• Encryption used by criminals can lead to difficulties collecting the necessary evidence
Picture removed in print version Bild zur Druckoptimierung entfernt
EXAMPLE PGP
Page: 89
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights -‐ Encryp:on
Legal Solu,on to Fight Encryp,on
United States v. Boucher (2007 WL 4246473)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Case Law on Encrpy:on
Privacy and Due Process Rights-‐ United States v. Boucher, 2-‐19-‐2009 December 17, 2006 -‐ Sebas,en Boucher's laptop computer was inspected when he
crossed the border from Canada into the USA at Derby Line, Vermont. Law Enforcement seized the laptop, ques,oned Boucher and then arrested him on a complaint charging him with transporta,on of child pornography in viola,on of 18 U.S.C. 2252A
December 29, 2006 -‐ When the laptop was switched on and booted, it was not possible to access its en,re storage capability. This was because the laptop had been protected by PGP Disk encryp,on.
January 12, 2007 -‐ A grand jury subpoenaed the defendant to provide the password to the encryp,on key protec,ng the data
November, 29 2007-‐ U.S. Magistrate Judge Jerome Niedermeier of the United States District Court for the District of Vermont stated "Compelling Boucher to enter the password forces him to produce evidence that could be used to incriminate him. This is a evidence obtained in viola:on of filh amendment”. Niedermeier quashed the subpoena
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
“Mandatory Key Disclosure” is legisla,on that require individuals to surrender cryptographic keys to law enforcement. Na,ons vary widely in the specifics of how they implement key disclosure laws.
Some, such as Australia, give law enforcement wide-‐ranging power to compel assistance in decryp,ng data from any party.
Some, such as Belgium, concerned with self-‐incrimina,on, only allow law enforcement to compel assistance from non-‐suspects.
France require only specific third par,es such as telecommunica,ons carriers, cer,fica,on providers, or maintainers of encryp,on services to provide assistance with decryp,on.
Italy doesn’t have a Key Disclosure Laws.
Privacy and Due Process Rights -‐ Mandatory Key Disclosure Laws
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
This legisla,ve instrument doesn’t work. Why? 1. Technical reasons: an expert could always find a way to hide a file 2. Possible viola:on of European Conven:on on Human Rights: Ar,cle 6 Everyone charged with a criminal offence shall be presumed innocent un7l proved guilty according to law
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights -‐ Mandatory Key Disclosure Laws
What is the “new” possible solu,on?
Privacy and Due Process Rights -‐ Mandatory Key Disclosure Laws
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Remote Forensics
Privacy and Due Process Rights – Remote Forensics
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
On December 20, 2006: Ar,cle 5.2(11) of the Law on the Protec,on of the Cons,tu,on in North Rhine-‐WestFalia was amended with the introduc,on of provisions on remote intelligence-‐gathering, both online and by accessing informa,on technology systems. Private computer systems could be covertly accessed “remotely”, thanks to soUware (keylogger and sniffer programs) installed on the target system without the owner’s knowledge, for instance, in the form of Trojans incorporated within or disguised as harmless content, by convincing the owner to voluntarily upload the relevant spyware or disclose passwords through cleverly devised social engineering ini,a,ves.
Privacy and Due Process Rights – Remote Forensics
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
On February 27, 2008 The German Cons,tu,onal Court determined that the amendment of NordWestalia Law was uncons,tu,onal as it violated:
The “right to informa,onal self-‐determina,on”
The inviolability of the home
The privacy of correspondence
The Cons,tu,onal Court establishes a new “Right to the Confiden:ality and Integrity of Informa:on Technology Systems” (right to the free development of one’s personality), read in conjunc,on with Ar,cle 1.1 GG (right to human dignity).
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Remote Forensics
Just three years aUer the ruling by the German Cons,tu,onal Court, Germany’s Jus,ce Minister has called for an inves,ga,on aUer authori,es in at least four German states acknowledged using computer spyware to conduct surveillance on ci,zens (Bavaria, Baden-‐WurFemberg, Brandenburg and Lower Saxony)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Aler 3 Years :(
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Cloud Compu:ng
Cloud compu,ng is a model for enabling convenient, on-‐demand network access to a shared pool of configurable resources (e.g., networks, servers, storage, applica,ons, and services) that can be rapidly provisioned and released with minimal effort or management service provider interac,on Cloud compu,ng has five essen:al characteris:cs: (i) On-‐demand self-‐service, (ii) Broad network access, (iii) Resource pooling, (iv) Rapid elas,city, (v) Measured service
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Cloud Compu:ng
From a Legal Standpoint Cloud Compu,ng services have to face these two dis,nct issues: Jurisdic:on: The “loss of loca:on” of digital evidence in the cloud world creates problem of jurisdic,on. With cloud compu,ng, are the documents governed by the law of the state in which they are physically located or by the loca,on of the company possessing them or by the laws of the state where a person resides? Over the last few years, various approaches have been offered to solve this problem. Privacy: The “lack of control” over the data (cloud clients may no longer be in exclusive control of this data and cannot deploy the technical and organisa,onal measures necessary to respect Data Protec,on Law), and the “absence of transparency” (insufficient informa,on regarding the processing opera,on itself) are the main data protec,on risk of cloud compu,ng
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Cloud Compu:ng and Jurisdic:on
We have 4 different possible principle to solve the “loss of loca,on” in a cloudy world: • Territorial principle: the Court in the place where the data is
located has jurisdic,on
• Na:onality principle: the na,onality of the perpetrator is the factor used to establish criminal jurisdic,on.
• “Flag principle”: which basically states that crimes commiFed on ships, aircraU and spacecraU are subject to the jurisdic,on of the flag state.
• “Power of Disposal Approach”: from a prac,cal point of view, a regula,on based on the power of disposal approach would make it feasible for law enforcement to access a suspect’s data within the cloud.
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Cloud Compu:ng and Privacy
Lack of control over the data
Lack of Integrity caused by the sharing of resources
Lack of availability due to lack of interoperability
Lack of intervenability due to the
complexity and dynamics of the outsourcing
chain
Lack of informa:on on processing
(transparency)
Lack of isola:on A cloud provider
may use its physical control over data
from different clients to link personal data.
Lack of confiden:ality in terms of law enforcement requests made directly to a
cloud provider
Lack of intervenability (data subjects’
rights)
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Privacy and Due Process Rights – Cloud Compu:ng and Privacy
Proposal of Regulation
on Data Protection
The right to be forgotten
EU citizens are to be entitled to require
information online to be deleted
Privacy Officer Public bodies and
businesses having a minimum number of
employees are obliged to establish a data protection officer
Security Where information is
lost (which is described as a serious breach),
this will have to be reported, and even
more complex security models will be required
One-Stop-Shop Businesses and
individuals must be able to deal with one single point of contact
Cookies The use of cookies on
line is regulated further, in line with the recent
Cookies Law directive.
Privacy by design: The regulation introduces an
obligation to use technological means to ensure that personal data is automatically processed only to the
extent that is absolutely necessary.
What Authority do you Need to Seize Digital/Electronic Evidence?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Before the Digital Age
Aler the Digital Age
Your professional and private
life
Who is en:tled to have access to Digital/Electronic Evidence?
Macau, April 8-‐12, 2013 -‐ Seminar on Cybercrime and Digital Forensics
Court Order
Wriqen Given Consent (civil proceeding)
Law Enforcement
Given Consent (criminal
proceeding)
Content data, IP and Log File
Registration Data
Content data, IP and Log File related to investigation
Internal Investigation (Corporate Forensics)
Thanks for your aFen,on
Giuseppe Vaciago
Mail: [email protected] Web: h_p://www.techandlaw.net Twi_er: h_ps://twi_er.com/giuseppevaciago Linkedin: h_p://it.linkedin.com/in/vaciago